Alexander Bluhm <alexander.bl...@gmx.net> wrote:
> On Thu, Jun 27, 2019 at 10:08:37PM +0100, Stuart Henderson wrote:
> > #0 0x082eefff in botan_sha160_x86_32_compress () from
> > /usr/local/lib/libbotan-1.10.so.1.1
>
> This code is at a page boundary, so it traps into the kernel. There
> it is detected that the esp register is currently not on the stack.
>
> The hand written assembler code in src/hash/sha1_x86_32/sha1_x86_32_imp.S
> uses esp as a regular register. Its content is saved at the beginning
> of the function and restored at the end. If there is a trap due
> to a page boundary, the kernel stack guard kicks in and aborts the
> process.
>
> Botan-1 is end of life. Perhaps we should just replace the i386
> assembler implementation with the regular C code.
Someone over-optimized without considering the consequences. Having such instruction code on an unaligned-instruction architecture is just too ripe for ROP gadget exploitation. I hope that .S code dies. Not going to delete the opportunistic ROP-pivot prevention mechanism....
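The failure mode described in the thread (hand-written i386 assembly that parks something other than a stack address in %esp, so any trap taken inside that window is killed by the kernel's stack-pointer check) can be audited for before it bites at runtime. The following is an added example, not code from Botan, OpenBSD or anyone in this thread: a small scanner over `objdump -d` output in AT&T syntax that flags every instruction writing %esp other than the ordinary frame idioms (`sub/add/and $imm,%esp`, `mov %ebp,%esp`, `lea off(%ebp),%esp`). The disassembly fragment embedded below is constructed to mirror the save/repurpose/restore pattern the thread describes; it is not the real `botan_sha160_x86_32_compress` code, and the addresses are made up.

```python
import re
from typing import List, Tuple

# Constructed objdump -d (AT&T syntax) fragment. It imitates the pattern
# discussed in the thread: %esp is spilled to the frame, then used as a
# general-purpose register, then reloaded. Not real libbotan code.
SAMPLE_DISASM = (
    "08049000 <compress>:\n"
    " 8049000:\t55                   \tpush   %ebp\n"
    " 8049001:\t89 e5                \tmov    %esp,%ebp\n"
    " 8049003:\t83 ec 40             \tsub    $0x40,%esp\n"
    " 8049006:\t89 65 fc             \tmov    %esp,-0x4(%ebp)\n"   # spill %esp
    " 8049009:\t8b 66 10             \tmov    0x10(%esi),%esp\n"   # %esp now holds data
    " 804900c:\t01 dc                \tadd    %ebx,%esp\n"         # arithmetic on it
    " 804900e:\t31 e1                \txor    %esp,%ecx\n"         # %esp as source only
    " 8049010:\t8b 65 fc             \tmov    -0x4(%ebp),%esp\n"   # reload %esp
    " 8049013:\tc9                   \tleave\n"
    " 8049014:\tc3                   \tret\n"
)

# objdump instruction line: "<addr>:\t<hex bytes>\t<mnemonic> <operands>"
LINE_RE = re.compile(r"^\s*([0-9a-f]+):\t[0-9a-f ]+\t(\S+)\s*(.*)$")

# Mnemonics whose AT&T size suffix we strip so "movl" compares as "mov".
SUFFIXED = {"mov", "sub", "add", "and", "lea"}


def normalise(mnemonic: str) -> str:
    """Drop a trailing 'l' size suffix from the handful of mnemonics we whitelist."""
    if mnemonic.endswith("l") and mnemonic[:-1] in SUFFIXED:
        return mnemonic[:-1]
    return mnemonic


def split_operands(text: str) -> List[str]:
    """Split AT&T operands on commas that are not inside an addressing mode."""
    ops, depth, cur = [], 0, ""
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            ops.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        ops.append(cur.strip())
    return ops


def is_frame_idiom(mnemonic: str, src: str) -> bool:
    """Writes to %esp that every compiler-generated prologue/epilogue performs."""
    if mnemonic == "mov" and src == "%ebp":
        return True
    if mnemonic in ("sub", "add", "and") and src.startswith("$"):
        return True
    if mnemonic == "lea" and src.endswith("(%ebp)"):
        return True
    return False


def find_esp_misuse(disasm: str) -> List[Tuple[str, str, str]]:
    """Return (address, mnemonic, source operand) for each non-idiomatic write to %esp.

    In AT&T syntax the destination is the last operand, so an instruction
    targets %esp exactly when its final operand is the literal "%esp".
    """
    findings = []
    for line in disasm.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, mnemonic, operand_text = m.groups()
        mnemonic = normalise(mnemonic)
        ops = split_operands(operand_text)
        if len(ops) != 2 or ops[1] != "%esp":
            continue
        if is_frame_idiom(mnemonic, ops[0]):
            continue
        findings.append((addr, mnemonic, ops[0]))
    return findings


if __name__ == "__main__":
    for addr, mnemonic, src in find_esp_misuse(SAMPLE_DISASM):
        print(f"{addr}: {mnemonic} {src},%esp  <- %esp not used as a stack pointer")
```

Run against real output with `objdump -d libbotan-1.10.so.1.1 | python3 scan.py` (reading stdin instead of the constructed string); every hit marks a window in which a page fault, signal or interrupt lands with %esp pointing at data rather than the stack, which is precisely what the kernel's stack guard refuses to tolerate. The whitelist is deliberately narrow: a hand-written routine may legitimately realign or move the stack pointer in ways not listed here, so treat the output as a review worklist rather than a verdict.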